Dedicated SSL - correct procedure


#1

Wondering about the correct procedure after purchasing DEDICATED SSL:

  1. Should you disable UNIVERSAL SSL after purchasing DEDICATED SSL? Are any other changes to the CRYPTO page necessary to activate it?

  2. Do you still need to create and install ORIGIN CERTIFICATE at your host like with UNIVERSAL SSL? (To have both links in the chain encrypted with SSL)

  3. If the ORIGIN CERTIFICATE was created using the CF CRYPTO DASHBOARD, does one need to GENERATE A NEW CSR in cPanel, or is that only necessary if you create the KEY and CERTIFICATE from cPanel instead of the CF DASHBOARD? (Both KEY and CERTIFICATE are uploaded/installed, and SSL for the domain is configured in cPanel, but no CSR ON SERVER is listed.)

Freshman trying to get the basics of SSL here.
Many thanks, Christoffer


#2
  1. Don’t know because I don’t have one. But, if you look on the cert in your browser and see that the CN is for your domain (and not sni.cloudflare.com), then you use your dedicated cert and no need to disable Universal.

  2. This has nothing to do with dedicated SSL. It is a way to secure communications between Cloudflare and your origin server IF you have no other way. Meaning, if for example you already have an SSL certificate on your origin (you had SSL prior to switching to Cloudflare), then Cloudflare can use the existing SSL certificate on your server to communicate securely with it. If you did NOT have a certificate, and would like secure communication between Cloudflare and your origin, you must use a certificate that Cloudflare will accept: either a standard certificate that your browser will accept (can also be free, like Let’s Encrypt’s certificate, or the one that I think cPanel can generate with their own CA), OR, you can use Cloudflare’s origin certificate which is a NON-trusted certificate (by anyone else; meaning, if you stop using Cloudflare and send your users directly to your server, they’ll get a certificate error).

  3. The certificate must match the private key. So, unless you have provided Cloudflare with a public key from a CSR generated by your management interface, Cloudflare can’t know the public key for the private key on your server, and therefore Cloudflare cannot, technically, issue a certificate that matches it. So, if Cloudflare does not cater for supplying a CSR (I think they don’t), then the only option is that they produce both the key and cert, and you then have to install both on your origin. Or, as mentioned before, use a standard TRUSTED certificate, maybe with automatic renewals, like Let’s Encrypt or cPanel, if your host supports it.


#3

Thanks for clarifying. The dedicated cert is showing once I turned off UNIVERSAL SSL, but it might have been a time issue as well - not sure.

Second question, true - I used CF to issue a CSR - both key and cert, installed both on origin via cPanel. Not sure how to verify that this works/is operative but seems fine - all green checkmarks.

Again, thanks for the quick reply. Christoffer


#4

If you set your SSL mode under the Crypto tab to “Full (Strict)” and your site still loads, that means that Cloudflare is able to securely connect to your server. If it can’t, your site will fail to load, because secure communication could not be made with the origin (which is the point of this mode, that everyone SHOULD use).
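The checks discussed in #2 (which certificate the edge presents, and whether the installed private key actually matches the certificate) and in #4 (whether the origin certificate would pass a Full (Strict) verification) can all be done with openssl from a shell. The script below is an added example, not code from the thread or from Cloudflare; hostnames and file paths in it are placeholders you replace with your own, and it assumes only that `openssl` is on PATH. For an origin certificate issued from the Cloudflare dashboard, the CA bundle you pass to `origin_chain_ok` would be the Cloudflare Origin CA root rather than the system trust store, which is exactly why browsers reject that certificate when Cloudflare is bypassed.

```shell
#!/bin/sh
# Added example (not from the thread): openssl checks for the questions above.
# Assumes openssl is on PATH. Hostnames/paths below are placeholders.

# 1. Which certificate does the edge present for this name?  (#2, point 1)
#    Look at the Subject/Issuer and DNS names: a dedicated cert carries your
#    own hostname, Universal SSL a shared SAN list.  Needs network.
edge_cert_names() {
    printf '' | openssl s_client -connect "$1:443" -servername "$1" 2>/dev/null \
        | openssl x509 -noout -text \
        | grep -E 'Subject:|Issuer:|DNS:'
}

# 2. Does the private key installed on the origin match the certificate?  (#2, point 3)
#    Compare SHA-256 digests of the DER-encoded public key taken from each side;
#    this works for RSA and EC keys alike.
pubkey_digest_from_key() {
    openssl pkey -in "$1" -pubout -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}'
}
pubkey_digest_from_cert() {
    openssl x509 -in "$1" -pubkey -noout 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}'
}
key_matches_cert() {
    # $1 private key file, $2 certificate file; true only if both parse and agree
    k=$(pubkey_digest_from_key "$1")
    c=$(pubkey_digest_from_cert "$2")
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# 3. Would a Full (Strict) style verification accept this origin certificate?  (#4)
#    $1 leaf cert, $2 bundle of trusted CA certs (include intermediates),
#    $3 hostname the edge will send as SNI.  Strict mode needs BOTH a chain
#    to a trusted CA and a matching name, so both are checked here.
origin_chain_ok() {
    openssl verify -CAfile "$2" -verify_hostname "$3" "$1" 2>/dev/null | grep -q ': OK$'
}

# 4. The same check, live, straight against the origin's address (bypassing
#    Cloudflare).  $1 origin IP, $2 hostname for SNI, $3 CA bundle.  Needs network.
origin_handshake_ok() {
    printf '' | openssl s_client -connect "$1:443" -servername "$2" -CAfile "$3" 2>/dev/null \
        | grep -q 'Verify return code: 0 (ok)'
}

# Example invocation with placeholder names (replace with your own):
#   edge_cert_names example.com
#   key_matches_cert /etc/ssl/private/origin.key /etc/ssl/certs/origin.pem && echo "key matches"
#   origin_chain_ok /etc/ssl/certs/origin.pem /etc/ssl/certs/origin-ca.pem example.com && echo "chain OK"
```

`key_matches_cert` compares public keys rather than RSA moduli so that it also covers EC keys; a mismatch there is the "certificate must match the private key" failure from #2. `origin_chain_ok` fails on either a wrong hostname or an untrusted issuer, which are the two reasons Full (Strict) refuses an origin.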


#5

OK, understand. Full - Strict demands that the whole chain is secured. Seems to be working fine. Security is a big topic for a freshman like myself. Thanks for explaining so well. C


#6

You’re welcome 🙂

